Don Thibeau's Blog


Monthly Archives: June 2014

By all accounts our Economics of Identity series of workshops is off to a successful start. We kicked the series off in London, where standing-room-only attendees “voted with their feet” by staying attentive to the end and where we generated more buzz than bloviation.

150+ attendees from the private sector took to their seats on 9th June, when OIX UK presented the Economics of Identity, hosted at the KPMG offices in Canary Wharf, London. With a focus on uncovering what identity is worth to the UK economy, £3.3bn was the headline figure presented by Ctrl-Shift in their OIX white paper of the same name.

Panel discussions centered around the Identity Assurance Programme (IDAP) model of citizen, money and living, with Francis Maude, Minister for the Cabinet Office, and Chris Ferguson, Deputy Director of the Identity Assurance Programme, taking the stage first to talk about how the citizen’s needs are at the heart of making identity assurance work. What followed were speakers from banking, mobile, retail and startups, being quizzed in detail on their expert opinions by columnist and editor Alex Howard, MC for the event.

The results of the UK’s first collaborative mobile network operator alpha trial were warmly received by the audience. A demonstration of the concept, enhancing the customer experience by using PIN numbers and your mobile device to support identity verification, showed just how easy this could be.

The tweets were fast and furious through the day. Here are some of my favorites:

Francis Maude @cabinetofficeuk: ‘We’re building trust by being open – the sunlight of transparency is making things better.’ #econID

@ahatami @LloydsBankCB: ‘We have to solve the #identity problem – not the customer. We cannot burn the customer with complexity.’

Innovate Identity @innovate_ID: ‘What a great event congrats to @OIXUK for organisation #econID all the thought leaders in digital identity there!’

@drdrmc: ‘The SMEs will see #identityassurance as an opportunity to showcase their innovation adapting it into their business model.’

Video and presentations from the event are posted on the OIX UK website and over the coming weeks, additional footage will be added including pictures and illustrations depicting key points made at the conference. The “pipeline” Open Identity Exchange White Papers that preceded and followed the event are now available.

We followed the workshop in London with the second Economics of Identity event at the Gates Center at the University of Washington on June 23rd where we took on the topic of the role of “Big Data and IPR” in the value chains we described in London. I’ll share more details on the success of that event in another blog.

We’re now building the agendas for the Economics of Identity workshops in Washington, DC on September 23rd. And the fourth event is scheduled for February 2015 in Silicon Valley with a focus on the venture capital flooding into the identity space. More details on both of these events on my blog and on the OIX site as we get closer to these dates.

I blogged about a new OIX White Paper we’ve just published, “Exploring the Role of Mobile Identity Assurance”, by Nick Foggin. The paper summarizes the outcomes from the UK’s first mobile network operator alpha trial. Nick’s experience in publishing an OIX White Paper reflected the value of an objective expert’s assessment and an insider’s view of one of the hottest areas of identity.

I’ve talked about how the OIX White Paper approach is more “silver buckshot” than “silver bullets” in that the papers are always pragmatic and objective. They often trigger responses from other OIX members or the community at large.

Soon after publishing Nick’s white paper, I received the first of many reviews from Scott Rice, PacificEast COO. Scott is a well-regarded data scientist in the telco space and is Chair of the OIX Telecom Data Trust Framework Working Group.

Scott’s review is an informed and passionate response to Nick’s paper and is in the spirit of OIX’s “silver buckshot” approach to OIX White Papers:

I have just finished reading a whitepaper written by Nick Foggin and published by the Open Identity Exchange that details the recent Digital Identity Assurance trial undertaken by the UK Government. “Exploring the Role of Mobile in Digital Identity” outlines what the UK Government, OIX and the GSMA have learned about using mobile phones to authenticate into a prototype UK Government system. The UK is trying to move as much citizen/government interaction (services, information, taxation, healthcare, etc.) away from face-to-face and paper transactions to digital, semi-automated transactions. While a laudable effort in streamlining and cost cutting, little details like how-to-ensure-the-person-trying-to-get-the-government-service-is-actually-the-person-they-claim-to-be can often plague such ventures.

However, in this case, the UK Government is acting more as organizer and general contractor instead of as a primary developer; pulling in commercial expertise so they don’t take all the money they hope to save and just spend it to hire yet another 1000 programmers to re-invent yet another set of wheels. Kudos to the Cabinet Office on that strategy, but also to Nick for a detailed, well-written paper. These are complex issues and even more complex implementations. I look forward to pointing people to this whitepaper who are looking for a summary of the concepts related to one of our company’s passions: telco based identity verification.

A couple sentences especially stood out. “The majority of trial participants were unconcerned about the use of MNO-held data as a means of verifying their identity. Most commonly, trial participants took the view that since the data was to be used solely for the purposes of verifying their identity, the risk of misuse was minimal.”

For many years I have advocated the concept that fraud and ID theft grows, like mushrooms, in the dark. In light of an almost daily barrage of news stories detailing the most recent million or hundred million identities to have been stolen, there is an understandable yet very wrong tendency to believe that hiding identity information will keep it safe.

The opposite is actually true. There is information that no one needs to know and information that everyone needs to know and information that just a few need to know.

In the past I have used the analogy of ID being like a key to your house. If everyone has the key, the house isn’t safe. But if no one has the key, the house isn’t safe either because either everyone can enter or no one can. A key works only if a restricted set of people have access to it. Identity information is like that. If no one has enough information to vouch for whether or not you are who you say you are, then your identity is worthless. But if everyone has that information and can pretend to be you, then your identity is also worthless. The system only works if a few, trusted organizations have access to that information but can be easily queried by those with whom you do business. Your identity is your key. It’s not something you want to lose. But neither is it something you want to hide away so secretly that even you can’t use it.

I was struck by the simplicity of the statement in the white paper… “The majority of trial participants were unconcerned”. Most of the participants understood instinctively that there are organizations, like their mobile carriers, in whom they must place a certain amount of trust just to use their product. It is clear that these test participants appreciated the fact that the carriers were one of those few entities in which they have placed trust. Certainly carriers aren’t always the most popular companies with which consumers conduct business and in whom they must place their trust. But maybe consumer opinion toward these carriers will improve if they demonstrate they can provide these consumer-focused services for little more reward than the knowledge they are being responsible stewards of one of the consumer’s keys.

I look forward to any additional feedback from readers with regard to Nick’s white paper and/or Scott’s response. As always, please let me know if there are any current identity issues that you feel OIX can add value by addressing via an OIX White Paper.

You have likely heard me preach about the value of OIX White Papers at an event or via my blogs in the past. OIX White Papers are more “silver buckshot” than “silver bullets” in that they are always pragmatic, objective and take one of two perspectives: a retrospective report on the outcome of a given project or pilot or a prospective discussion on a current issue or opportunity. They are authored by independent domain experts and are published on all OIX websites and thus freely available.

Today we published “Exploring the Role of Mobile Identity Assurance” white paper by Nick Foggin. This white paper summarizes the outcomes from the UK’s first mobile network operator alpha trial. Mobile phones are becoming the device of choice for digital transactions. The UK Cabinet Office wanted to catalyze the role UK mobile network operators might play in establishing trust in such digital transactions.

The development and publishing process with Nick was so unique that he documented his personal experience in developing the white paper in the blog below:

When I was asked to write a white paper for the OIX on the subject of the recently completed alpha trial – in which the UK’s four major mobile operators (MNOs) and five Identity Assurance Providers (IDPs) participated – I was, to be frank, skeptical. The very concept of a 9-way cooperation sounded improbable at best, and I approached the situation with considerable nervousness. I was concerned that the parties would have collided rather than collaborated. Finding something meaningful and interesting to write about within such a context was likely to be challenging, I reasoned.

My preconceptions, it turns out, were entirely wrong. Brought together at the invitation of the Cabinet Office, and supported by the OIX and the GSMA, the organisations involved had not only managed to collaborate productively with one another, but also, they had managed to create something entirely innovative and exciting. The purpose of the alpha trial was to examine ways in which mobile could be used to enhance the identity assurance services that IDPs have been contracted to develop by the Cabinet Office. This was an experimental process, and there was no guarantee that the participants would agree on or develop anything at all. The fact that they emerged from the process with a solution that appears – at least on the face of it – to add substantial value, is remarkable.

So what does the solution do? In short, the solution adds a new layer of security and surety to already robust processes. The IDPs have developed solutions that allow each individual / citizen to create a secure identity, for use in accessing government services on the internet. These identities have a high level of assurance – that is to say that the IDPs are able to verify the data that individuals submit when creating an identity, and assure themselves that the individual making a claim on an identity is in fact the individual to which the identity relates. To make use of these identities, individuals use a username and password, and a PIN code, which is sent to their mobile phone (they submit their mobile phone number as part of the registration process). There are a couple of challenges in this approach: firstly the IDPs are not able to independently verify that the mobile number submitted is the right one; secondly, the PIN code methodology used (one-time passcode) is not necessarily the most secure approach available.

So the MNOs and the IDPs – working together – came up with a new approach. They substituted the one-time password solution with a secret PIN solution, based on wireless PKI. That change alone would likely have added to the robustness of an already secure solution. But they didn’t stop there. They also created a platform via which IDPs could (a) verify that the mobile phone number submitted by an individual is correct, and (b) request other attributes relating to an individual whenever their IDP identity is invoked. But importantly, both such uses of MNO-held customer data require specific consent to be granted by the individual. The solution effectively asks the individual “do you mind if we ask your mobile operator to confirm that this is your mobile number?” when registering, and when making use of their IDP identity, the individual might be asked “do you mind if we ask your mobile operator to confirm that your phone has not been reported lost or stolen?” The ability to access MNO-held customer data is potentially extremely valuable for the IDPs – once customer consent has been granted, it allows for a real-time check of various attributes, to complement detailed but historical data, such as credit reference information, to which IDPs also have access. But most importantly, the approach benefits individuals. First and foremost, it makes identity theft and associated fraud materially more difficult. Secondly, it actually makes sign in easier: instead of having to input a username, and password, and one-time passcode, the user only has to enter their mobile phone number via the browser on their PC or tablet, and complete the sign in process on their mobile phone by entering their secret four-digit PIN. In the knowledge that the MNO-held data would only be used as a means of verifying their identity, the individuals involved in trialing the solution were happy for their data attributes to be shared.

To me, the most important part of the solution is its inherent differentiation. It places the individual at the centre of all processes, and asks for consent every time their identity is invoked and attributes are passed. This is a welcome departure from much of what happens online today in the name of identity management.

Putting the customer at the centre of the solution didn’t happen by accident. Before the participants in the alpha trial even began thinking about what the technology or data could do, they drew up a set of guiding principles to inform the whole process. Without listing them out here, the confluence of those principles was transparency. If data relating to an individual is required, ask for consent – and be specific. The solution goes as far as detailing what information is being requested from the MNO, and why.

So, my preconceptions suitably shattered, I found myself involved in writing up a process that – though far from perfect – was genuinely dynamic and exciting. Of course there were clashes of opinions and personalities. There were periods of frustration and distraction. And there remains a very long way to go. But as first steps go, the alpha trial represents a long and sure-footed one, and one that I very much enjoyed writing about. I hope the white paper manages to convey what I found, and the importance that it holds.

Thank you, Nick, for capturing the results of the alpha trials in the UK and documenting your experience for the OIX community. We often get reactions to published OIX White Papers and Nick’s paper is no exception. My next blog will share a reaction to Nick’s paper.